PHPackages frbit/message-signer - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [HTTP & Networking](/categories/http) 4. / 5. frbit/message-signer AbandonedArchivedLibrary[HTTP & Networking](/categories/http) frbit/message-signer ==================== A flexible message signing and verification framework. Includes Guzzle3 and Guzzle4 Plugin. 0.2.1(11y ago)71.3kMITPHPPHP >=5.4.0 Since Mar 5Pushed 6y ago1 watchersCompare [ Source](https://github.com/fortrabbit/message-signer)[ Packagist](https://packagist.org/packages/frbit/message-signer)[ RSS](/packages/frbit-message-signer/feed)WikiDiscussions master Synced 3d ago READMEChangelogDependencies (7)Versions (8)Used By (0) [![Build Status](https://camo.githubusercontent.com/a11bbe5e0014f2c50dc92e770fa737c83aa9e481a5caedbfe19fb766e951fd7e/68747470733a2f2f7472617669732d63692e6f72672f666f72747261626269742f6d6573736167652d7369676e65722e706e673f6272616e63683d6d6173746572)](https://travis-ci.org/fortrabbit/message-signer) Update ====== [](#update) > **This project is abandoned**. This repository is still here for documentation purpose. Message Signer ============== [](#message-signer) A flexible message signing and verification framework. So what do you do with it? For example: Write a HTTP REST API server. Sign your client requests with a private key. Verify the request with a public key on your API server. Installing via Composer ----------------------- [](#installing-via-composer) ``` php composer.phar require "frbit/message-signer:*" ``` Features -------- [](#features) - [OpenSSL](http://php.net/manual/en/book.openssl.php), [phpseclib](http://phpseclib.sourceforge.net/) or [HMAC](http://php.net/manual/en/function.hash-hmac.php) as crypto providers. - [Symfony HttpFoundation](http://symfony.com/doc/current/components/http_foundation) (including Laravel requests, by inheritance) and [Guzzle (both: 3 and 4)](http://guzzle.readthedocs.org/) request objects as message sources - Very flexible interface - Guzzle3 and Guzzle4 plugin included (might be outsourced someday..) - Easily expandable Signature transport formats --------------------------- [](#signature-transport-formats) There are three essential information required to verify the validity of a message: - Key: To identify the client (the one sending the signed message) and to select the correct key to verify the signature. - Date: It's not *really* necessary. It allows the server (the one receiving and validating the message) to accept only "recent" messages - otherwise attackers could at least re-send intercepted messages easily. - Signature: Well, to proof the validity of the message. Those signature information can be transported in various formats. There are three formats built-in and additional/custom formats can be easily added. The formats are implemented in the `\Frbit\MessageSigner\Message\Handler\*` classes. ### Multiple header [](#multiple-header) Default format. Here, each information is stored in a dedicated message header (eg HTTP request header). ``` X-Sign: The-signature-content X-Sign-Key: The-key-name X-Sign-Date: The-date ``` Of course, the names of the headers are arbitrary - as long as client and server know both about them. ``` $builder = new \Frbit\MessageSigner\Builder(); $builder->setMessageHandler(new \Frbit\MessageSigner\Message\Handler\DefaultHeaderHandler()); $signer = $builder->build(); ``` ### Single Header [](#single-header) In this format, all information are stored (embedded) in a single, URL encoded header. ``` X-Sign: sign=The-signature-content&key=The-key-name&date=The-date ``` Again: the name of the header is arbitrary... ``` $builder = new \Frbit\MessageSigner\Builder(); $builder->setMessageHandler(new \Frbit\MessageSigner\Message\Handler\EmbeddedHeaderHandler()); $signer = $builder->build(); ``` ### Parameter [](#parameter) In some scenarios it makes sense to store the information in message parameters (eg HTTP request query string). ``` /foo?sign=The-signature-content&key=The-key-name&date=The-date ``` As before: parameter names (`sign`, `date`, `key`) are arbitrary. ``` $builder = new \Frbit\MessageSigner\Builder(); $builder->setMessageHandler(new \Frbit\MessageSigner\Message\Handler\ParameterHandler()); $signer = $builder->build(); ``` Examples -------- [](#examples) Have a look in the `examples/` folder for additional code examples. ### Send a signed request with guzzle [](#send-a-signed-request-with-guzzle) ```